漏洞概要 关注数(24) 关注此漏洞
缺陷编号:wooyun-2014-060452
漏洞标题:墨迹天气登陆逻辑有误导致可以暴力破解
相关厂商:mojichina.com
漏洞作者: 路人甲
提交时间:2014-05-16 10:50
修复时间:2014-06-30 10:51
公开时间:2014-06-30 10:51
漏洞类型:设计缺陷/逻辑错误
危害等级:中
自评Rank:10
漏洞状态:厂商已经确认
漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]
Tags标签: 无
漏洞详情
披露状态:
2014-05-16: 细节已通知厂商并且等待厂商处理中
2014-05-19: 厂商已经确认,细节仅向厂商公开
2014-05-29: 细节向核心白帽子及相关领域专家公开
2014-06-08: 细节向普通白帽子公开
2014-06-18: 细节向实习白帽子公开
2014-06-30: 细节向公众公开
简要描述:
登陆的时候 虽然有验证码 但是在后端验证的时候 并没有先验证验证码的正确性
详细说明:
登陆错误超过3次 会有验证码 出现
但是同样可以验证某个用户是否存在
使用网上泄露过的用户名(只用了5W用户) 进行尝试 发现将近1000用户
漏洞证明:
使用几个弱口令 发现以下用户
------------pass 123456 begin
null KECHA@YEAH.NET
null vicroad@gmail.com
null hzpchan@gmail.com
null r_icky@163.com
null zlhacker@sohu.com
null rizhaofeng@126.com
null yujing0369@163.com
null zzhou998@qq.com
null magiceye@163.com
null huang@tom.com
null liu_sijia@126.com
------------pass 123456 end
* ------------pass 111111 begin
null unauthorised@sina.com
null lynnlni@gmail.com
null 936193624@qq.com
------------pass 111111 end
* ------------pass 000000 begin
null lhkzyg@126.com
------------pass 000000 end
* ------------pass 123123 begin
null rzheny@126.com
null dennis1129@163.com
------------pass 123123 end
{"data":{"code":0,"createTime":1388984078000,"email":"vicroad@gmail.com","mobile":null,"msg":null,"nick":"vicroad","sessionId":"C7395399AA198E74BD459E0780782912","snsId":11368777,"snsName":"vicroad@gmail.com","status":"1","type":"0","userId":173956414,"password":"CD5B83B4316436A8B73347A6BD9D4A72","userType":1,"emailStatus":1,"mojiForum":0,"face":"http:\/\/ugcface.moji001.com\/images\/sns_user_face\/2014\/1\/6\/face_113687778233173463481587298.jpg"},"code":0}
{"data":{"code":0,"createTime":1385866116000,"email":"zlhacker@sohu.com","mobile":null,"msg":null,"nick":"yangyang002","sessionId":"E1AA141A81634531A007CAE4D914E3D1","snsId":10102361,"snsName":"zlhacker@sohu.com","status":"1","type":"0","userId":146437603,"password":"CD5B83B4316436A8B73347A6BD9D4A72","userType":1,"emailStatus":1,"mojiForum":0,"face":""},"code":0}
密码虽然是hash值 但是在登陆的时候可以无限尝试 得到明文对应的hash值
{"data":{"code":3,"createTime":null,"email":null,"mobile":null,"msg":"\u5bc6\u7801\u9519\u8bef","nick":null,"sessionId":null,"snsId":null,"snsName":null,"status":null,"type":null,"userId":null,"password":"CD5B83B4316436A8B73347A6BD9D4A72","loginErrNum":93178},"code":0}
修复方案:
修改验证逻辑
版权声明:转载请注明来源 路人甲@乌云
漏洞回应
厂商回应:
危害等级:中
漏洞Rank:6
确认时间:2014-05-19 16:20
厂商回复:
我们已修复登入过程中的验证逻辑,感谢提醒!
最新状态:
暂无